CN103229184A - Method and system for accessing secure resources - Google Patents

Fig. 1 illustrates the example of the

100 of supporting embodiments of the

100 shown in Fig. 1 comprises

102,

104,

106 and has a plurality of portable set 112(a), 112(b) ... 112(n) the

110 of the one or more access right in (wherein " n " is any suitable numeral).

102 is for example to be adapted to be the computing machine of the transmission and the link of deal with data or any combination of treatment facility.Network 102 can be privately owned Internet protocol (IP) network and the publicly-owned IP network that for example can utilize the Internet of WWW (www) function of browse.The example of cable network be to use the network of communication bus and MODEM or DSL line or Local Area Network or wide area network (WAN) so as to transmit and receiving terminal between data.The example of wireless network is a WLAN.Global system for mobile communications (GSM) is another example of wireless network.The GSM network is divided into three main systems, and described three main systems are exchange system, base station system and operation and back-up system (GSM).In addition, IEEE802.11(Wi-Fi) be normally used wireless network in computer system, it enables the Internet or has the connection of the other machines of Wi-Fi function.The Wi-Fi Web broadcast can be by the radiowave of the Wi-Fi receiver reception that is connected to the various computing machine.

104 can be the zone of for example door, computing machine (or addressable part of storer or computer equipment), safe physical cell and/or for example database, website or other restrictions or part restriction or network or the electronic position of the part of the network of VPN for example.In some cases,

104 can have a plurality of safe classes, for example provides from simple Email and calendar access to weigh for example financial report, address book and/or classified papers or have the more restricted zone in other zones of the information that needs limiting access or the computer network of the service range of the access right of grade or resource.The security system that is connected to secure

104 can be discerned

110 and just carry the

112 that can authenticate, and opens the wired or wireless connection to this portable set.

Server module or equipment or

106 normally have one or more processors of the storer that is associated, for example such as desktop PC, notebook, PDA(Personal Digital Assistant), radio hand-held equipment, cell phone, PLAYSTATION ^TM, and PSP ^TMDeng computing machine or other treatment facilities.They can oneself be handled and storage data or only can be after the access process of another location and data (that is thin and fat terminal) storage.

108 is shown as and comprises that

110 and

110 can have access right or proprietorial one or more portable set 112.At

108,

110 can carry or visit a plurality of portable set 112(a) ... (n) one or more in (being referred to as 112 usually here).

112 generally includes the equipment with processing power and storer and Output Display Unit, for example, and cell phone, PDA(Personal Digital Assistant), radio hand-held equipment, PLAYSTATION ^TM, and PSP ^TMDeng.

112 can own processing and storage and video data, or only can be after the access process of another location with data (that is thin and fat terminal) storage and show the data that visit or obtain.The function of

106 can also be that the part of

104 and/or

112 also is embodiments of the invention.

Use the

108 of

112 to submit security token to

106 via network 102.

106 receives security token and sends described token to secure

104 from user terminal 108.Then,

104 is carried out identifying based on the token that is received.

104,

106 and

108 are couple to

102 via the two-way communication medium that is associated, and the described two-way communication medium that is associated can be for example such as universal serial bus or other the wired or wireless transmission mediums of IEEE1394.

104,

106 and

108 can be communicator or customer location or subscriber's equipment or client terminal.

Fig. 2 illustrates the synoptic diagram of the example of

200 according to an embodiment of the invention.

When

110 wished the

104 of the zone of restriction of room, chamber or network that visit is for example locked or electronics storage area or database or part, the user used and is shown as his/her portable set (be shown as

112 and be shown as

216 in Fig. 1 in Fig. 2) that possesses fingerprint scanner so that carry out wireless or

250 with the

104 of the door of for example locking in Fig. 2.If

104 determines that finger scan is suitable, then

110 slips over his/her

208 on portable set 216.Then,

216 is communicated by letter with

104 about his/her fingerprint certificate.If fingerprint is accepted by

104, then release secure resources 104(promptly, the room of locking).

In addition, as shown in Figure 2,

210 and 212 diagrams possess other examples of the portable set of other possible security mechanisms.For example,

210

110 can the input digit password or the digital touch pad and/or the password of user ID or PIN(Personal Identification Number).In addition, portable set 212 possess

110 can his/her

214 of apposition so that the retina scanners of checking personal identification.

204 illustrated example are as the secure resources based on another type of the resource of PC.Various secure resources (being shown as 104,204) can be visited by one or more portable sets.Each secure resources (104,204) can have the resource security grade of variation.For example, though may need the retina scanners of particular individual for more high-grade resource security, the keypad with the digital button that allows the input digit sign indicating number can be enough for visit lower security grade resource.

As shown in Figure 2,

104 can have a plurality of safe classes for different services.Under the sort of situation, when authorizing the user access right and described user when asking specific service to secure resources, the secure token module of security system determines whether to authorize the access right of described user to institute's requested service according to the security token that is provided by described user.

Fig. 3 illustrates the series of steps of access security resource according to an embodiment of the invention.Fig. 3 illustrates the series of steps of for example storing or the process of program code or algorithm on electronic memory or computer-readable medium.For example, can be on the computer-readable medium of for example ROM, RAM, EEPROM, CD, DVD or other nonvolatile memories or non-provisional computer-readable medium the step of storage map 3.Described process can also be to comprise having thereon stored program code so that carry out the module of the electronic memory of described function.This storer is structurized article (article).As shown in Figure 3, described series of steps can be represented as and can be carried out or be carried out in addition so that carry out the function of being discerned by processor, processing unit, and can store described process flow diagram 300 in the one or more storeies that comprise non-provisional medium and signal and/or one or more electronic media and/or computer-readable medium.For example, can be on the computer-readable medium of for example ROM, RAM, CD, DVD or other nonvolatile memories, non-provisional medium the step of storage map 3.Stored program code is structurized element on the electronic memory medium.Can as any storer described herein in and for example in

112,

106 or

104 storage as the computer program code of the interchangeable form of process flow diagram 300.Described

300 starts from beginning step 302.

The user that

304 expression has a portable set is near secure resources and the request access right to secure

306, secure resources is discerned described portable set whether in the scope of secure resources.If do not identify the portable set that can authenticate, then "No"

307 is guided

308 into, user thereby portable set can more closely move to secure resources, be in close proximity to (enough near described resource make the distance that described resource can be communicated by letter with portable set) secure resources so that determine described equipment, and in

304, attempt to ask once more to visit.As by

311 expressions, can discern the electricity needs of secure resources.With reference to figure 9 this embodiment is described in more detail.In addition, be identified in the obtainable electric power in portable set place.This power level of portable set is useful to activating secure resources (or part of secure resources).The power level of portable set is portable set activation secure resources or the electric power that sends signal to secure resources.Can also determine the activation electric power of secure resources.This activates electric power is that secure resources (or its part) is activated to the required electric power of state of activation from dormancy or unactivated state.In case whether the power level of identification portable set can enough activate described resource (or its part) and make affirmation about the power level of portable set.If portable set electric power is enough, then portable set sends activation signal so that make secure resources activate to secure resources.

The distance that portable set can be communicated by letter with secure resources normally corresponding apparatus transmission electric power and/or receive the function of electric power.If identify the portable set that can authenticate in

306, then "Yes" line 309 is guided

310 into, and it can be that the connection of wired or wireless connection is so that discern portable set that

310 expression security system is opened.Then, in

312, portable set responds by sending its available authentication mechanism shown in Figure 4.

Whether

314 expression security system is determined in the available authentication mechanism or made up is to be fit to use.If there is not available authentication mechanism to be fit to, then "No"

315 is guided

316 into, and security system determines whether to exist any other portable set that is carried by the user in step 316.If determine that the user does not carry any other portable set that can authenticate, then "No" line 321 is guided

330 into, described

330 expression end step.Otherwise if identify other portable sets, then "Yes"

319 draws back step 310.Therefore, the portable set authentication capability determines iteration and identification repeatedly that relate to enough authentication capabilities or function.

Return refer

314, if it is acceptable determining in the available authentication mechanism or making up, then "Yes" line 317 is guided

318 into, and which authentication mechanism is described

318 expression security system use via wired or wireless communication notice portable set corresponding to the authentication mechanism needs that are fit to.

320 is illustrated in portable set and receives after the information about required security mechanism, and described portable set will obtain security token from user and/or portable set by required authentication mechanism.For example, if required authentication mechanism is a retina scanners, then portable set will ask the user that his/her eye is placed near the retina scanners, if and required authentication mechanism is the fingerprint scanner, then portable set will ask the user that his/her finger is placed near the fingerprint scanner.Then in

322, be transmitted in the security token that obtains in the

320 to the security system of secure resources.

324 expression security system determines whether the security token that is received is correct and/or is enough to authorize the access right of user to secure resources.If security token is incorrect or not enough, then "No" line 325 is guided

326 into, and described

326 expression security system will require portable set that other security tokens are provided.If portable set does not provide more security token, then "No" line 329 draws back

316, and described

316 expression security system determines whether to exist any other portable set that is carried by the user.If in

326, portable set will provide other security tokens that obtain from the user, and then "Yes"

331 draws back step 320.Return refer

324, if security token is correct in enough, then "Yes"

327 is guided

328 into, and the user is authorized in described

328 expression access right to secure resources, and arrives end

330.

Mention about Fig. 2 as the front,

104 can have a plurality of safe classes for different services.In this case, when authorizing the user access right and described user when asking specific service to secure resources, the secure token module of security system determines whether to authorize the access right of user to institute's requested service according to customer-furnished security token.

Fig. 4 diagram is according to an embodiment of the invention about the example of the information of authentication mechanism 400.The portable set that can authenticate is to the information of security system transmission about the

400 of described portable set, and described

400 comprises for

402, the touch-

404 that is used for virtual keypad, the touch-screen or the

406 that are used for the gesture input, the

408 that is used for the gesture input, can transmit private radio signal (bluetooth as the key of access security system, RF, IR etc.) or the

410 of private file,

412, the

414 that is used for face recognition,

416, be used for the

418 of speech recognition etc.Though about Fig. 4 illustrated authentication mechanism is shown, can also uses other authentication mechanism.

Fig. 5 illustrates the example of

500 according to an embodiment of the invention.

500 comprises

502,

504 and security service Registration Module 506.

500 can be module, " plug-in unit " unit, separate unit or the miscellaneous part that exists on another module or equipment.For example, as here describing, security service module can be the assembly of one or more

112,

106 and/or

104, or is carried out by one or more

112,

106 and/or

104.

502 is coupled to security

506 via the communication linkage that is associated so that make

502 and

504 can cooperate the processing operation of the module shown in Fig. 5.

502 comprises CPU510, described CPU510 normally comprises the processor of ALU (ALU) and control module (CU), described ALU is carried out arithmetic sum logical operation, and described control module utilizes ALU to extract instruction where necessary from storer and decodes and carry out them.The I/O interface can be used to operationally couple the assembly of

502.

504 stored programmes, described program comprise web browser for example, algorithm and typical operating system program (not shown), I/O (I/O) program (not shown), bios program (not shown) and help other programs of the operation of security service module 500.The Web browser (not shown) is for example such as Internet Explorer ^TMThe Internet browser

504 can be for example such as the electronic storage medium of the electronics storage repositories that can store the data of being used by security service module 500.

504 can comprise with for example RAM, the ROM of the form storing digital information of bit, EEPROM or other storage mediums of CD, optomagnetic band, CD or floppy disk, hard disk or removable cassette tape for

504 can also be the remote memory that is couple to

502 via wired or wireless two-way communication medium.Receiver/forwarder or

505 are used to from the portable set received signal.Forwarder is used to transmit signal from secure resources to portable set.

Security

506 comprises the security service of all different safety class.For example,

512 comprises the service of the safe class 1 of for example visiting Email and electronic calendar;

514 comprises the service of the

2 of for example visiting financial report and address book;

516 comprises the service of the

3 of for example visiting classified papers; Deng.

Fig. 6 diagram is visited the series of steps of the service of the secure resources with a plurality of safe classes according to an embodiment of the invention.Fig. 6 represents the series of steps of for example storing or the process of program code or algorithm on electronic memory or computer-readable medium.For example, can be on the computer-readable medium of for example ROM, RAM, EEPROM, CD, DVD or other nonvolatile memories or non-provisional computer-readable medium the step of storage map 6.Described process can also be to comprise having program code stored thereon so that carry out the module of the electronic memory of described function.This storer is structurized article.Can as any storer described herein in and for example in

112,

106 or

104 storage as the computer program code of the interchangeable form of process flow diagram 600.As shown in Figure 6, described series of steps can be represented as the process flow diagram 600 that can be carried out by the security service module of Fig. 5.Process 600 starts from beginning step 602.

Fig. 7 illustrates the example of

112 according to an embodiment of the invention.In Fig. 7,

112 is depicted as cell phone.Keypad 704 has a plurality of keys that can be used to the access security

702 and OptionButton 706 can be used to conveniently to be used for the operation of the pattern of visiting, but not make a phone call.

708 can be used to obtain biometric data (for example, retina scanning, fingerprint) from the user.Viewing area, user interface or

718 can be used to provide available resources 720(a) ... (n) demonstration of (wherein " n " is any suitable numeral).Forwarder 730 can be used to slave

112 to any amount of resource (as describing) transmission signal here.According to the transmission intensity of

730, described equipment can begin communicate by letter (for example, the radio communication) with any resource in the signal distance of equipment 112.Sensor 740 can also be used to determine whether

112 can begin and the communicating by letter of resource.

740 be used to sensing from

112 can accessed resources signal.Sensor can be used to export the

742 that described equipment enough is in close proximity to

742 can be audio frequency and/or the visable representation that detects the

740 of resource, for example LED, light, sound signal, bell sound or other alarms.

Activate or

750 can be used to recognition resource in power-down mode or " sleep " pattern so that preservation electric power.

750 can be in conjunction with

730 operation, so that transmit signal to resource from

112, and need be at enable mode but not operate in the power-down mode thereby signal resource.Therefore,

112 can be the resource of non-activation in long-time section by utilizing battery or

750 to activate.

112 can be registered in advance to any amount of resource, make if portable set in preset distance,

112 just begins and the communicating by letter of one or more specific resources.For example the sign indicating number of equipment PIN or apparatus figure or device identifier can be used to related one or more equipment of authorizing so that open or visit or the one or more resources of sensing.

112 can also comprise be used to store as here describe for implementing the useful algorithm of access function and one or more storeies of program.

Fig. 8 illustrates the example of

104 according to an embodiment of the

104 comprises forwarder 802, authentication module 860,

870,

806,

842,

824 and processor 826.These elements or module can operationally be coupled by bus 890.For example the module of authentication module 860,

870 can be that for example

826 operations are so that the non-provisional electronics storage register of the function of the algorithm of execution storage therein or program code.

802 is used to transmit signal from

104 to portable

870 is used to detect portable set in the transmission signal distance of resource.Authentication ' unit 860 is used to receive the transmission signal and determine whether the token that is transmitted by portable set is acceptable for certain access level from portable set.The access level of authorizing depends on the type of the token of reception.

806 is used to visit the zone of the

104 of being authorized by authentication module 860.

806 can be lock or latch or electronic access ability.When receiving the mandate of acceptance, this

806 will be provided by (that is, providing or enable access).When not receiving necessary mandate,

806 will can not be opened (that is denied access).

806 can allow optionally to visit.For example,

806 can allow user capture or check some part of database, forbids checking other parts of the database of the authentication that needs are strengthened simultaneously.

824 and

826 are used for

104 storage data and execution command respectively.

Figure 11 illustrates the processing of

112 according to an embodiment of the invention and the example of memory module.Portable set 112 comprises

1103 and

1105.

CPU1103 and

1105 operationally couple, and make CPU1103 can carry out the processing of the data of storage in storer 1105.Usually,

1103 is processors, and for example commercially available comprises ALU and other electronic packages and circuit so that carry out the computer processor of data processing.

1105 comprises

900, scanner module (fingerprint) 1112, adjacent sensor module 1019,

1108,

1114, scanner module (retina) 1116,

1118 and authentication module 1150.I/

1115 and GUI1104 also are shown among Figure 11.Normally carry out the program code of the instruction of on non-provisional, computer-readable medium, storing as the described module of in storer, storing, and be to utilize the example component software of one or more nextport hardware component NextPort operations in the sensor assembly as shown in Figure 4.

As described in about Fig. 9,

900 is the memory modules that are used to storing process and step and program code, described process and step and program code be for example on non-provisional computer-readable medium, store, can carry out so that determine

112 whether to provide the instruction of electric power by the processor of for example CPU1103 to secure

900 is used to transmit the signal that activates secure resources and electric power signal is

900 can be stored as the threshold value power value that activates the required minimum power of secure resources.Using this minimum value to make does not waste unnecessary electric power when activating secure resources.

1112 provides the module of the computer code of the instruction of for example storing on non-provisional computer-readable medium, when described module is used when the combined with hardware assembly, allow the biometric data of the finger print data that identification for example obtains by the finger print input device that for example is shown as the

216 here in Fig. 2.

1109 is for example to control sensor so that determine at what distance secure resources will distinguish the program code of portable set.This distance can be based on quantity, the safe class of portable set and the safe class of secure resources of the type of the type of secure resources, portable set, possible portable set.For example, if secure resources has the lower security threshold requirement, then be that portable set is with the sensing secure resources more possibly.If secure resources has high threshold, then secure resources may not provide the portable set can detected signal, and therefore, portable set will can not sense it in the distance of the selection of secure resources.

1109 normally can be via 1115 receptions of I/O module and the combination that transmits the hardware and software component of signal.The code modules of adjacent sensor module shown in Figure 11 and in Fig. 7, hardware is depicted as element 740.Adjacent sensor module (hardware and software) be adapted to be determine can the access security resource selection at what distance

112 part or zone.

1108 is used to detect the motion with respect to the user of portable set 112.

1108 is stored program code on for example handling from the non-provisional computer-readable medium of the input of the sensor shown in Fig. 4 406.The program code of

1108 determines that the user is making the gesture of what type and user whether in the preselected distance of portable set.The motion that senses may be enough to open or the access security resource, the automatically-controlled door or other secure resources that for example can be only activate by the existence with respect to the user of portable set.

1114 is shown as the memory location of the instruction of the image that storage identification obtains the camera of

414 or other image pickup apparatus as shown in Figure 4 from

1114 and nextport

414 can be used to distinguish facial characteristics or other images so that allow visit to secure resources.

1116 be shown as memory by using as the program code of the operation of scanner here described in case the biometric data of test example such as retina data so that determine memory location to the visit of secure resources.

1118 is shown as program code stored so that operation and for example distinguishes the sound that obtained by the loudspeaker shown in Fig. 4 418 and the memory location of the speech data of voice.The software of

1118 is adapted to be determines whether the voice signal that receives mates voice signal storage, that authorize and output is confirmed or signal or other output of refusal coupling.

1150 is stored program code in the

1105 that can be used to storage instruction, can carry out described instruction so that whether determine secure resources can communicate by letter with portable set by CPU1103, thus and user or holder's visit of authorizing secure resources permission portable set portable

1150 can be in conjunction with I/

1115 operation, described I/

1115 be for example operate in case to secure resources, server or other positions send signal or verify data and/or from secure resources, server or other position received signals or verify data so that help to utilize portable set to distinguish and/or forwarder, receiver or the transceiver of the operation of access security resource.

GUI1104 provides user interface so that via user's input operation and control

112 to the user.GUI1104 can comprise keyboard, touch-screen, mouse and other input equipment (not shown) and screen, display or monitor (not shown) in case display image data and audio output apparatus (not shown) so that outputting audio data.

1. an external unit obtains the method to the access right of the safety zone of resource, comprising:

Transmission is with the signal of described recognition of devices for authenticating;

Receive the beginning of communicating by letter with described resource;

In response to the beginning of described communication, described authentication mechanism is the hardware device that is used to discern the attribute of user of described equipment by the one or more authentication mechanisms that transmit described equipment;

Reception is to the request of the one or more use in the described authentication mechanism;

The token of each in the authentication mechanism that transmission is asked; And

In response to accept one or more in the described token by described resource and obtain access right to described secure resources.

2. the method for claim 1, the wherein said beginning is radio communication.

3. the method for claim 1, wherein said equipment is portable set.

4. the method for claim 1, wherein said authentication mechanism be described equipment all.

5. the method for claim 1, wherein said authentication mechanism is a biometric.

6. the method for claim 1, wherein biometric data comprises the retina scanning data.

7. the method for claim 1, wherein said authentication mechanism is a password.

8. the method for claim 1, wherein said equipment transmits activation signal to described resource.

9. the method for claim 1, wherein said equipment transmits electric power to described resource and generates signal.

10. a resource is authorized method to the access right of the safety zone of described resource to external unit, comprising:

From the described external unit received signal that can authenticate;

Beginning and described external device communication;

Receive the tabulation of one or more authentication tokens that described external unit can provide, described authentication token is the result of hardware device who is used to discern the attribute of user of described external unit;

Transmission is for the request of one or more authentication tokens;

Receive one or more authentication tokens in response to described request; And

Authorize access right based on the acceptability of described one or more authentication tokens to described external unit to described safety zone.

11. method as claimed in claim 10, wherein said communication is radio communication.

12. method as claimed in claim 10, wherein said authentication token is from biometric equipment.

13. method as claimed in claim 10, wherein said resource transmits activation signal to described external unit.

14. method as claimed in claim 10, wherein said resource transmits electric power to described external unit.

15. a portable set that is used to obtain to the access right of the safety zone of resource comprises:

Forwarder, it transmits the signal of described recognition of devices for authenticating;

Receiver, it receives the beginning of communicating by letter with described resource;

Controller, it transmits by the one or more authentication mechanisms that transmit described equipment and in response to the beginning of described communication;

Wherein said receiver receives the request to the one or more use in the described authentication mechanism;

The token of each in the authentication mechanism that wherein said forwarder transmission is asked; And

Wherein said device responds one or more in the token of accepting by described resource and obtain access right to described safety zone.

16. method as claimed in claim 15, wherein said communication is radio communication.

17. one kind is used for authorizing authentication ' unit to the described resource of the access right of the safety zone of resource to external unit, comprises:

First receiver, it is collected mail number from the described external unit that can authenticate;

Communicator, it begins and described external device communication;

Wherein said receiver receives the tabulation of one or more authentication tokens that described external unit can provide, and described authentication token is the result of hardware device who is used to discern the attribute of user of described external unit;

Forwarder, it transmits the request to one or more authentication tokens;

Wherein said receiver receives one or more authentication tokens in response to described request; And

Authenticator, it is based on the acceptability of described one or more authentication tokens and authorize the access right of described external unit to described safety zone.

18. authentication ' unit as claimed in claim 17, wherein said communication is wireless.